Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp668194rdb; Tue, 19 Sep 2023 07:01:33 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGFYvaTRROAbe5WeD0LJUpIKe1NXFOxsWOyd+R1Xi/HLbTMh2i1GjkkMVCXAvz5bDx6A0rw X-Received: by 2002:a17:902:7e8a:b0:1c1:ed61:e058 with SMTP id z10-20020a1709027e8a00b001c1ed61e058mr10482228pla.16.1695132093420; Tue, 19 Sep 2023 07:01:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695132093; cv=none; d=google.com; s=arc-20160816; b=yzNoI1jSNtpwzahFfiCI2JgSP7L6dhATt1X2iiN1bEK73QBbIi0o4tngSdgCj4ve5N GcWS7rX5HEpvNjMebaOsO9Bv7yS263GK8Vxs/H6Zy1G7VzgtNJgV2/Q9dfaD2kEq0sY/ F88/D15GezVoaFqAKfHnxCb9MwSweCIuQrYHn0Ie89i5e28MLdj9pvAt1tSMhza45S54 jRFIXih7IgypQH0jDtc2Qq5BCO54WM+8CNtvzlFKfZnA7jl6mXMGLU8xC2Xt93TCUBcv /eippvImCCVZi+dxtWmoiqBLqTkcRQBv0Wh9yOlvw71Zq42jZb83Pr8hyHji+9V0WO4h qXqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:content-transfer-encoding:mime-version :message-id:date:subject:from:dkim-signature; bh=yuIGlXn+RtDx+ctPwiNoWY6BjjbOH+3V676or7U5v2Y=; fh=vdy8fLmkzgLosg2v5sVYMftPpjJTf1v+KansN80xFQ8=; b=OFWQAV93aee534X5Byb5FIpf3gRd00sXsdH3MD3Y23sjlM0jMe/antqdDLkz9UOsZC JXISAfCTtKd6YVV31Es+GCGhnn3GoKr7F5OVt2p0ut8ilYbtM5wraOVPNiFFRBKaC6Zt wYiZRGJ9IUSYjQw8Scggio9PqqxQkA/Cx2rDnmeqIFJw1IoInCxSg3vf3rKCsx7zx5/O IAZRX7F+COdV+oxzd+PgR9JNJ5kqSbouSkNP01KWLtkHV+1sTshKSa9tmf2Lsm2emOrb KYw4hCdVltYVWbQk2j/UnDP4Wn1RMwbwqRSznB2JcvQ1YA3cgmYUf9wGH+Aiaid5GtD1 R/dw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@avm.de header.s=mail header.b=uEhbfVov; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=avm.de Return-Path: Received: from agentk.vger.email (agentk.vger.email. [23.128.96.32]) by mx.google.com with ESMTPS id q6-20020a17090311c600b001b9fb1a0465si10028400plh.385.2023.09.19.07.01.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Sep 2023 07:01:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) client-ip=23.128.96.32; Authentication-Results: mx.google.com; dkim=pass header.i=@avm.de header.s=mail header.b=uEhbfVov; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=avm.de Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id C299D81E3E33; Tue, 19 Sep 2023 05:17:59 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231766AbjISMRm (ORCPT + 99 others); Tue, 19 Sep 2023 08:17:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60092 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231945AbjISMR1 (ORCPT ); Tue, 19 Sep 2023 08:17:27 -0400 Received: from mail.avm.de (mail.avm.de [212.42.244.94]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 82EE8CF4; Tue, 19 Sep 2023 05:16:36 -0700 (PDT) Received: from mail-auth.avm.de (unknown [IPv6:2001:bf0:244:244::71]) by mail.avm.de (Postfix) with ESMTPS; Tue, 19 Sep 2023 14:16:34 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=avm.de; s=mail; t=1695125794; bh=4wWW7PThUEy/0/1cw0DJ8Iedw0+ZXiRRLL2Wplmz8kc=; h=From:Subject:Date:To:Cc:From; b=uEhbfVov5qB6MXdjIKtZtKFpmnMg1/rdute8l4fk71bL3KL4RbIXnDIZt8spHkEfG umwHve3uQsXC0rpCqSeW9xze62WmBD/s0r9SCv4zpLdD3xCa44K96+x3dgyMpp9wUU Va1IzP4l3S4XIIyYguYk8CRZW4ogABtwbYDGJomI= Received: from localhost (unknown [172.17.88.63]) by mail-auth.avm.de (Postfix) with ESMTPSA id E1ED582000; Tue, 19 Sep 2023 14:16:33 +0200 (CEST) From: Johannes Nixdorf Subject: [PATCH net-next v4 0/6] bridge: Add a limit on learned FDB entries Date: Tue, 19 Sep 2023 10:12:47 +0200 Message-Id: <20230919-fdb_limit-v4-0-39f0293807b8@avm.de> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-B4-Tracking: v=1; b=H4sIAP9XCWUC/02NywrCMBBFf6XM2khsG/tY+R9SJI+JHbCpJCFUS v7dUFy4PJzLuTsE9IQBxmoHj4kCra5Ae6pAz9I9kZEpDDWvGz7wllmjHi9aKDIrUShlL1fd91D 2b4+WtqN1B4eROdwiTMXMFOLqP8dJag7/64m/XmoYZ50YOm0E57KvbzItZ4Mw5Zy/5r9a/qkAA AA= To: "David S. Miller" , Andrew Lunn , David Ahern , Eric Dumazet , Florian Fainelli , Ido Schimmel , Jakub Kicinski , Nikolay Aleksandrov , Oleksij Rempel , Paolo Abeni , Roopa Prabhu , Shuah Khan , Vladimir Oltean Cc: bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Johannes Nixdorf X-Mailer: b4 0.12.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1695111167; l=4268; i=jnixdorf-oss@avm.de; s=20230906; h=from:subject:message-id; bh=JapsvU38KZCfbiZTIg1IrJQMTOijSxqXyV04LE6TqvE=; b=LSlEhsCt1N4SZEhIdcd9TP66IqZACgNTfLJM+wis+YTtb90REsOeW17n3OtoFXL/TTuAWyNpq zE/Z7+CT/jwCI1wQVO3cel7EtNciNaIOqaNjLxKSKFU11wlAT7BKy0y X-Developer-Key: i=jnixdorf-oss@avm.de; a=ed25519; pk=KMraV4q7ANHRrwjf9EVhvU346JsqGGNSbPKeNILOQfo= X-purgate-ID: 149429::1695125794-C6E28D5A-CDE09CF7/0/0 X-purgate-type: clean X-purgate-size: 4308 X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de X-purgate: This mail is considered clean (visit http://www.eleven.de for further information) X-purgate: clean X-Spam-Status: No, score=0.2 required=5.0 tests=DATE_IN_PAST_03_06, DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Tue, 19 Sep 2023 05:18:00 -0700 (PDT) Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit the number of entries. Currently the manual entries are identified by the bridge flags BR_FDB_LOCAL or BR_FDB_ADDED_BY_USER, atomically bundled under the new flag BR_FDB_DYNAMIC_LEARNED. This means the limit also applies to entries created with BR_FDB_ADDED_BY_EXT_LEARN but none of BR_FDB_LOCAL or BR_FDB_ADDED_BY_USER, e.g. ones added by SWITCHDEV_FDB_ADD_TO_BRIDGE. Link to the corresponding iproute2 changes: https://lore.kernel.org/netdev/20230919-fdb_limit-v4-1-b4d2dc4df30f@avm.de/ Signed-off-by: Johannes Nixdorf --- Changes in v4: - Added the new test to the Makefile. (from review) - Removed _entries from the names. (from iproute2 review, in some places only for consistency) - Wrapped the lines at 80 chars, except when longer lines are consistent with neighbouring code. (from review) - Fixed a race in fdb_delete. (from review) - Link to v3: https://lore.kernel.org/r/20230905-fdb_limit-v3-0-7597cd500a82@avm.de Changes in v3: - Fixed the flags for fdb_create in fdb_add_entry to use BIT(...). Previously we passed garbage. (from review) - Set strict_start_type for br_policy. (from review) - Split out the combined accounting and limit patch, and the netlink patch from the combined patch in v2. (from review) - Count atomically, remove the newly introduced lock. (from review) - Added the new attributes to br_policy. (from review) - Added a selftest for the new feature. (from review) - Link to v2: https://lore.kernel.org/netdev/20230619071444.14625-1-jnixdorf-oss@avm.de/ Changes in v2: - Added BR_FDB_ADDED_BY_USER earlier in fdb_add_entry to ensure the limit is not applied. - Do not initialize fdb_*_entries to 0. (from review) - Do not skip decrementing on 0. (from review) - Moved the counters to a conditional hole in struct net_bridge to avoid growing the struct. (from review, it still grows the struct as there are 2 32-bit values) - Add IFLA_BR_FDB_CUR_LEARNED_ENTRIES (from review) - Fix br_get_size() with the added attributes. - Only limit learned entries, rename to *_(CUR|MAX)_LEARNED_ENTRIES. (from review) - Added a default limit in Kconfig. (deemed acceptable in review comments, helps with embedded use-cases where a special purpose kernel is built anyways) - Added an iproute2 patch for easier testing. - Link to v1: https://lore.kernel.org/netdev/20230515085046.4457-1-jnixdorf-oss@avm.de/ Obsolete v1 review comments: - Return better errors to users: Due to limiting the limit to automatically created entries, netlink fdb add requests and changing bridge ports are never rejected, so they do not yet need a more friendly error returned. --- Johannes Nixdorf (6): net: bridge: Set BR_FDB_ADDED_BY_USER early in fdb_add_entry net: bridge: Set strict_start_type for br_policy net: bridge: Track and limit dynamically learned FDB entries net: bridge: Add netlink knobs for number / max learned FDB entries net: bridge: Add a configurable default FDB learning limit selftests: forwarding: bridge_fdb_learning_limit: Add a new selftest include/uapi/linux/if_link.h | 2 + net/bridge/Kconfig | 13 + net/bridge/br_device.c | 2 + net/bridge/br_fdb.c | 42 ++- net/bridge/br_netlink.c | 17 +- net/bridge/br_private.h | 4 + tools/testing/selftests/net/forwarding/Makefile | 3 +- .../net/forwarding/bridge_fdb_learning_limit.sh | 283 +++++++++++++++++++++ 8 files changed, 359 insertions(+), 7 deletions(-) --- base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70 change-id: 20230904-fdb_limit-fae5bbf16c88 Best regards, -- Johannes Nixdorf